Vuurvlieg
January 15th, 2008, 03:37
Hello,
I am reversing a target and am partly trying to reconstruct some of its classes, to be able to interact with it and use functions in the target.
The problem I have is that I just can't seem to get the memory layout right.
I will use one class as an example.
First of all, all the classes in this target inherit from the same "base class", which looks very similar to the Windows IUnknown interface. It is an abstract class that only has 3 virtual functions:
Code:
    // PVOID is the Windows typedef for void*; spelled out so this compiles without <windows.h>.
    typedef void *PVOID;

    // IUnknown-like base: three pure virtual slots, so the vtable of anything
    // deriving from it begins with AddRef, Release, QueryInterface.
    class IClass
    {
    public:
        virtual void AddRef( void ) = 0;
        virtual void Release( void ) = 0;
        virtual PVOID QueryInterface( unsigned int IID ) = 0;
    };
Now, about the class I am trying to reconstruct: it is not one class but a few classes that inherit from each other (or so it seems).
There is this abstract class, let's call it 'CTemplate'.
If I look at the constructor of the class:
Code:
.text:081D4605 mov dword ptr [ebx], 8724CA8h
.text:081D460B mov dword ptr [ebx+4], 8724D08h
There they move 2 vtable addresses into class+0x0 and class+0x4.
If we look at the vtables in memory:
Code:
//vtable1
.data:08724CA8 dd offset __cxa_pure_virtual
.data:08724CAC dd offset __cxa_pure_virtual
.data:08724CB0 dd offset __cxa_pure_virtual
.data:08724CB4 dd offset ctemplate_vfunction1
.data:08724CB8 dd offset ctemplate_vfunction2
.data:08724CBC dd offset ctemplate_vfunction3
..... more funcs
//vtable2
.data:08724D08 dd offset __cxa_pure_virtual
.data:08724D0C dd offset __cxa_pure_virtual
.data:08724D10 dd offset __cxa_pure_virtual
.data:08724D14 dd offset ctemplate_vt2_vfunction1
So some virtual function members being 'pure' proves that we're dealing with another abstract class.
Now, actually, here already comes the first problem I came across.
As I showed above, it has 2 vtables, one at 0x0 and one at 0x4.
I know that in both these vtables the first 3 virtual funcs are those from what I called IClass. I have proof for that, which I will explain later (likely in another post, after I have got my first problem figured out).
How is this supposed to look in a high-level language?
Because I want to check out the memory layout, I just make the virtual functions do something simple.
Code:
    class CTemplate : public IClass
    {
    public:
        // No implementation for the IClass funcs here; they are still pure,
        // so CTemplate is abstract too.
        virtual void function1( void ){ a = (a+1)<<1; }
        virtual void function2( void ){ b = (b+1)<<1; }
        virtual void function3( void ){ c = (c+1)<<1; }
        CTemplate( )
        {
            a = b = c = 1;
        }
        int a;
        int b;
        int c;
    };
As you can see in the code above, I have no code for the second vtable. My first question to you guys: how can I add something to the above definition to make it generate a vtable at 0x4, also with IClass as base class?
(You can do 2 things to be able to see the memory layout:
- quickly create another class that inherits from CTemplate but has no pure functions, so you can create an instance of it and check it in a debugger;
- use an undocumented compiler flag (add the option "/d1 reportAllClassLayout" under project_settings->C/C++->CommandLine).)
I have been trying to figure this out for days, but I don't have enough experience with classes. I did find an interesting article while seeking answers:
https://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf
All input is welcome.
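The following is an added example, not code from the original post, showing one way a C++ class ends up with two vptrs whose vtables both start with the three IClass slots: the class inherits IClass twice along two non-virtual paths, through two interfaces. The interface names IFirst and ISecond are assumptions (the target's real intermediate bases are unknown); everything else follows the post's IClass and CTemplate. Built for 32-bit the second vptr sits at +4 as in the disassembly, on a 64-bit build at +8; GCC (which produced the __cxa_pure_virtual entries) and MSVC lay the two vptrs out the same way.

```cpp
// Added example (not from the original post): two vptrs via two non-virtual
// IClass paths.  IFirst / ISecond are hypothetical interface names.
#include <cstddef>
#include <cstdio>
#include <cstring>

typedef void *PVOID;  // Windows alias for void*, spelled out to avoid <windows.h>

// The IUnknown-like base from the post: three pure virtuals, no data.
class IClass {
public:
    virtual void AddRef(void) = 0;
    virtual void Release(void) = 0;
    virtual PVOID QueryInterface(unsigned int IID) = 0;
};

// Hypothetical first interface: its slots follow the IClass slots in vtable1
// (the post's ctemplate_vfunction1..3).
class IFirst : public IClass {
public:
    virtual void function1(void) = 0;
    virtual void function2(void) = 0;
    virtual void function3(void) = 0;
};

// Hypothetical second interface: supplies vtable2's fourth slot (the post's
// ctemplate_vt2_vfunction1).  Non-virtual inheritance from IClass means this
// is a SEPARATE IClass subobject with its own vptr.
class ISecond : public IClass {
public:
    virtual void vt2_function1(void) = 0;
};

// IFirst lands at +0, ISecond at +sizeof(void*) (+4 in the 32-bit target).
// The IClass slots stay pure, which is what yields the __cxa_pure_virtual
// entries at the start of both vtables.
class CTemplate : public IFirst, public ISecond {
public:
    virtual void function1(void) { a = (a + 1) << 1; }
    virtual void function2(void) { b = (b + 1) << 1; }
    virtual void function3(void) { c = (c + 1) << 1; }
    virtual void vt2_function1(void) { d = (d + 1) << 1; }
    CTemplate() : a(1), b(1), c(1), d(1) {}
    int a, b, c, d;
};

// Concrete leaf so an instance can exist (the post's first debugging trick).
// One override per IClass member is the final overrider for BOTH subobjects.
class CConcrete : public CTemplate {
public:
    virtual void AddRef(void) {}
    virtual void Release(void) {}
    virtual PVOID QueryInterface(unsigned int) { return 0; }
};

// Byte offset of the ISecond subobject == where the second vptr lives.
std::size_t second_vptr_offset(void) {
    CConcrete obj;
    CTemplate *t = &obj;
    ISecond *s = t;  // implicit upcast moves the pointer past vptr1
    return static_cast<std::size_t>(reinterpret_cast<char *>(s) - reinterpret_cast<char *>(t));
}

// Pointer-sized slots in front of the four ints: expect exactly 2.
std::size_t vptr_count(void) {
    return (sizeof(CTemplate) - 4 * sizeof(int)) / sizeof(void *);
}

// Read the two values the constructor stored at [this] and [this+sizeof(void*)]
// (the `mov dword ptr [ebx], ...` / `mov dword ptr [ebx+4], ...` in the post).
bool has_two_distinct_vtables(void) {
    CConcrete obj;
    const void *vt1, *vt2;
    const char *raw = reinterpret_cast<const char *>(&obj);
    std::memcpy(&vt1, raw, sizeof(void *));
    std::memcpy(&vt2, raw + sizeof(void *), sizeof(void *));
    return vt1 != 0 && vt2 != 0 && vt1 != vt2;
}

// The IClass inside ISecond begins at ISecond's own address, so vtable2 starts
// with the three IClass slots just like vtable1.
bool second_iclass_shares_vptr2(void) {
    CConcrete obj;
    ISecond *s = &obj;
    IClass *i = s;  // unambiguous: exactly one IClass below ISecond
    return static_cast<void *>(i) == static_cast<void *>(s);
}

// Dispatch through the ISecond pointer goes via vtable2 (slot 3, behind the
// IClass slots) and still reaches CTemplate's data member.
int call_through_second_base(void) {
    CConcrete obj;
    ISecond *s = &obj;
    s->vt2_function1();  // d: 1 -> 4
    s->vt2_function1();  // d: 4 -> 10
    return obj.d;
}

int main(void) {
    std::printf("sizeof(CTemplate)=%zu, vptrs=%zu, second vptr at +%zu\n",
                sizeof(CTemplate), vptr_count(), second_vptr_offset());
    return 0;
}
```

Compile with `-m32` to reproduce the +0/+4 offsets from the disassembly; `second_iclass_shares_vptr2` is the point that answers the question: a second IClass-derived base that is inherited non-virtually gives a second vptr whose vtable begins with the same three IClass slots.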